lsc is installed and a posixgroup -> groupofnames syncher is configured

This commit is contained in:
Tobias Herre 2020-08-21 21:28:40 +02:00
parent 2ed29c601f
commit baae769be1
2 changed files with 186 additions and 0 deletions

View File

@ -259,9 +259,18 @@ class wmdeit_ldap (
file {"/etc/default/lsc":
ensure => file,
content => template("wmdeit_ldap/lsc.erb")
} ->
file {"/etc/lsc/lsc.xml":
ensure => file,
content => template("wmdeit_ldap/lsc.xml.erb")
} ->
service {"lsc":
ensure => running,
subscribe => File["/etc/lsc/lsc.xml"],
}
# openldap::server::globalconf { 'TLSVerifyClient':
# ensure => present,
# value => { "TLSVerifyClient"=>"never" }

177
templates/lsc.xml.erb Normal file
View File

@ -0,0 +1,177 @@
<?xml version="1.0" ?>
<!--
In the following file, comments are describing each node. Elements are
referenced through XPath expression, whereas attributes are prefixed with
'@'
//lsc Root node of the XML configuration file
@xmlns XML Schema validation is not ready yet (Reserved for futur use)
@id optional, added by XML API
@revision mandatory, used by the Web Administration Interface to version
this file
-->
<lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.1.xsd" revision="0">
<!-- ./connections Connections list node, must contain at least two connections -->
<connections>
<ldapConnection>
<name>ldap-conn</name>
<!-- ./url mandatory, the JNDI URL -->
<url>ldap://localhost:389/dc=wikimedia,dc=de</url>
<!-- ./username mandatory, the DN to bind with -->
<username>cn=admin,dc=wikimedia,dc=de</username>
<!-- ./password mandatory, credentials to bind with -->
<password>123</password>
<!-- ./authentication mandatory, must contain either
ANONYMOUS, SIMPLE, SASL, GSSAPI or DIGEST_MD5 -->
<authentication>SIMPLE</authentication>
<!-- ./referral mandatory, must contain either IGNORE,
THROUGH, THROW or FOLLOW -->
<referral>IGNORE</referral>
<!-- ./derefAliases mandatory, must contain either NEVER,
SEARCH, FIND, ALWAYS -->
<derefAliases>NEVER</derefAliases>
<!-- ./version mandatory, must contain either VERSION_2, VERSION_3 -->
<version>VERSION_3</version>
<!-- ./pageSize optional, specify the paged size when searching -->
<pageSize>-1</pageSize>
<!-- ./factory mandatory, points to LDAP Context Factory,
com.sun.jndi.ldap.LdapCtxFactory for a SUN JDK -->
<factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
<!-- ./tlsActivated optional, specify if SSL/TLS is activated
to connect to the LDAP server -->
<tlsActivated>false</tlsActivated>
</ldapConnection>
</connections>
<tasks>
<task>
<name>groupsync</name>
<bean>org.lsc.beans.SimpleBean</bean>
<ldapSourceService>
<name>group-source-service</name>
<connection reference="ldap-conn" />
<baseDn>dc=wikimedia,dc=de</baseDn>
<pivotAttributes>
<string>cn</string>
</pivotAttributes>
<fetchedAttributes>
<string>cn</string>
<string>memberUid</string>
</fetchedAttributes>
<getAllFilter><![CDATA[(objectClass=posixGroup)]]></getAllFilter>
<getOneFilter><![CDATA[(&(objectClass=posixGroup)(cn={cn}))]]></getOneFilter>
<cleanFilter><![CDATA[(&(objectClass=posixGroup)(cn={cn}))]]></cleanFilter>
</ldapSourceService>
<ldapDestinationService>
<name>group-dst-service</name>
<connection reference="ldap-conn" />
<baseDn>dc=wikimedia,dc=de</baseDn>
<pivotAttributes>
<string>cn</string>
</pivotAttributes>
<fetchedAttributes>
<string>cn</string>
<string>member</string>
<string>objectClass</string>
</fetchedAttributes>
<getAllFilter><![CDATA[(objectClass=groupeOfNames)]]></getAllFilter>
<getOneFilter><![CDATA[(&(objectClass=groupOfNames)(cn={cn}))]]></getOneFilter>
</ldapDestinationService>
<propertiesBasedSyncOptions>
<mainIdentifier>js:"cn=" + javax.naming.ldap.Rdn.escapeValue(srcBean.getDatasetFirstValueById("cn").toLowerCase()) + ",dc=wikimedia,dc=de"</mainIdentifier>
<defaultDelimiter>;</defaultDelimiter>
<defaultPolicy>FORCE</defaultPolicy>
<conditions>
<create>true</create>
<update>true</update>
<delete>true</delete>
<changeId>true</changeId>
</conditions>
<dataset>
<name>objectclass</name>
<policy>KEEP</policy>
<createValues>
<string>"groupOfNames"</string>
<string>"posixGroup"</string>
<string>"top"</string>
</createValues>
</dataset>
<dataset>
<name>member</name>
<policy>FORCE</policy>
<forceValues>
<string>
<![CDATA[rjs:
var membersSrcUid = srcBean.getDatasetValuesById("memberUid");
var membersDstDn = new java.util.ArrayList();
for (var i=0; i<membersSrcUid.size(); i++) {
var memberSrcUid = membersSrcUid.get(i);
var dn = "uid=" + memberSrcUid + ",ou=users,dc=example1000,dc=com";
membersDstDn.add(dn);
}
membersDstDn
]]>
</string>
</forceValues>
</dataset>
</propertiesBasedSyncOptions>
</task>
</tasks>
<!-- ./audits Audits list node -->
<audits>
<!--./audit Audit node, here a CSV audit, may also be a LDIF or any contributed audit type -->
<csvAudit>
<!-- ./name mandatory, audit name -->
<name>csv</name>
<!-- ./append optional, default to false, specify to create a new log file or to append to the existing one -->
<append>true</append>
<!-- ./operations optional, comma separated list of operations (create, delete, update or rename) -->
<operations>create, delete</operations>
<!-- ./file mandatory, define the location of the file where the CSV data will be written -->
<file>/tmp/dump.csv</file>
<!-- ./datasets optional, comma separated list of datasets modification to log -->
<datasets>cn, dn</datasets>
<!-- ./separator optional, default to ";", specify the values separator -->
<separator>,</separator>
</csvAudit>
</audits>
<!-- ./security This mandatory node contains the security settings used by LSC -->
<security>
<!-- ./encryption This optional node contains the encryption settings -->
<encryption>
<!-- ./keyfile This optional node contains the keyfile location -->
<keyfile>etc/lsc.key</keyfile>
<!-- ./algorithm This optional node contains the encryption algorithm -->
<algorithm>AES</algorithm>
<!-- ./strength This optional node contains the algorithm key length -->
<strength>128</strength>
</encryption>
</security>
</lsc>